release: github.com/cloudfoundry/cf-release / 231

Github source: f67ebb73 or master branch

The cf-release v231 was released on February 23, 2016.

Important:

  • There are new property names for the doppler and metron manifests that must be updated, or Loggregator deployments will fail.
  • Buildpacks (except for Java) have been extracted into their own releases, but submoduled back into cf-release with symlinks for the jobs and packages to eliminate impact on the current workflow of deploying the platform from a monolithic cf-release. You do not need to manually build and upload an additional set of releases (unless you want to). These buildpacks are no longer package dependencies of Cloud Controller; rather, they are (no-op) jobs that are colocated with the Cloud Controller. To have an uninterrupted experience, you will need to colocate the new buildpack templates with the cloud_controller_ng template and update the package references in the cc.buildpacks property; see this mailing list thread for some further discussion. If you are using the “spiff” manifest generation tooling and are not overriding the api_templates, then you will get this change for free.
  • If using the DEA backend, the dea_next and hm9000 jobs should be colocated with a consul_agent job, as they now rely on Consul for internal service discovery, including downloading blob assets from the CC via internal DNS. For this case, cloud_controller_ng jobs must also be colocated with the consul_agent job and register the appropriate service. It is strongly advised that any job colocated with consul_agent should have consul_agent first in the templates list. (Note: the “spiff”-based manifest generation tooling provided in this repo is missing this configuration in the case of OpenStack.)
  • This release introduces a new blobstore job using the WebDAV protocol instead of NFS. Several manifest changes are required if you are currently using the nfs job. See the job spec changes below.
  • v231 contains a performance regression in Gorouter introduced in v228. At low request volume the issue is not observable; only at higher request volumes (such as a load test) is the regression evident. The regression was fixed in v234.
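As an added example (not part of cf-release or its spiff tooling), the following Python script checks a BOSH v1 manifest against the consul_agent colocation rules above: every job carrying dea_next, hm9000 or cloud_controller_ng must also carry consul_agent, and consul_agent should be first in the templates list. The manifest layout it reads (jobs with a templates list of {name, release} entries) is the standard BOSH v1 form; the sample manifest embedded in the script is constructed, and PyYAML is only needed when linting a real file.

```python
"""Pre-flight lint for the v231 consul_agent colocation rules.

Added example, not cf-release code. It walks a BOSH v1 manifest (the
structure yaml.safe_load produces) and reports every job that carries
dea_next, hm9000 or cloud_controller_ng without a consul_agent template,
or with consul_agent somewhere other than first in the templates list.
"""
import sys

# Templates that, per the v231 notes, now rely on Consul for service discovery.
NEEDS_CONSUL = ("dea_next", "hm9000", "cloud_controller_ng")


def template_names(job):
    """Template names in manifest order. Tolerates the legacy single-template
    form ({'template': 'x'} or {'template': ['x', 'y']}) older manifests use."""
    if "templates" in job:
        return [t["name"] if isinstance(t, dict) else str(t) for t in job["templates"]]
    if "template" in job:
        tmpl = job["template"]
        return list(tmpl) if isinstance(tmpl, list) else [tmpl]
    return []


def check_consul_colocation(manifest):
    """Return a list of human-readable problems; an empty list means the manifest passes."""
    problems = []
    for job in manifest.get("jobs", []):
        names = template_names(job)
        dependents = [n for n in NEEDS_CONSUL if n in names]
        if not dependents:
            continue  # job has nothing that talks to Consul
        if "consul_agent" not in names:
            problems.append("job %s: templates %s rely on Consul but consul_agent is not colocated"
                            % (job["name"], ", ".join(dependents)))
        elif names[0] != "consul_agent":
            problems.append("job %s: consul_agent should be first in templates, found at position %d"
                            % (job["name"], names.index("consul_agent") + 1))
    return problems


# Constructed sample manifest (not a real deployment) covering pass, missing and misordered cases.
SAMPLE_MANIFEST = {
    "jobs": [
        {"name": "api_z1",
         "templates": [{"name": "consul_agent"}, {"name": "cloud_controller_ng"}]},
        {"name": "runner_z1",
         "templates": [{"name": "dea_next"}, {"name": "metron_agent"}]},
        {"name": "hm9000_z1",
         "templates": [{"name": "hm9000"}, {"name": "consul_agent"}]},
        {"name": "router_z1",
         "templates": [{"name": "gorouter"}]},
    ]
}


def main(argv):
    if len(argv) > 1:
        import yaml  # PyYAML, only needed to lint a real manifest file
        with open(argv[1]) as fh:
            manifest = yaml.safe_load(fh)
    else:
        manifest = SAMPLE_MANIFEST
    problems = check_consul_colocation(manifest)
    for problem in problems:
        print("WARN", problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the two warnings the constructed sample produces, or pass the path of a generated manifest as the only argument; a non-zero exit status means at least one job needs its templates list fixed before deploying v231.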

Contents:

  • CC and Service Broker APIs
  • Runtime
  • Buildpacks and Stacks
  • Identity
  • Routing
  • Loggregator
  • Internal Components
  • Job Spec Changes
  • Recommended BOSH Stemcell Versions
  • Recommended diego-release Version
  • Recommended garden-linux-release Version
  • Recommended etcd-release Version

CC and Service Broker APIs

CC API Version: 2.51.0

Service Broker API Version: 2.8

IMPORTANT: Manifest changes are required for all deployments, whether using nfs or another blobstore.

  • Doc describing required manifest changes. details

Cloud Controller

  • [Experimental] Work continues on /v3 and Application Process Types details
  • [Experimental] Work continues on Tasks details
  • Add docs for using the USR1 trap for diagnostics details
  • Update rails to 4.2.5.1 details
  • Added support for webdav protocol details
    • This addition is considered experimental currently. Additional work to simplify the deployment and secure one part of the connection is in progress.
  • Remove incorrectly documented query param - organization_guid on /v2/apps/:guid/routes details
  • Fixed cloudfoundry/cloud_controller_ng #524: “/v2/apps/:guid/summary” will return duplicated “name” keys in JSON response details
  • cloudfoundry/cloud_controller_ng #522: Set TMPDIR for local worker details
  • Generate seed values for default environment variable groups details
  • Check for basic auth against clients that properly follow URI encoding - continue to support dea backend, which does not properly follow the conventions details
  • Remove organization_guid from listing all app routes docs details
  • Fixed cloudfoundry/cloud_controller_ng #528: Apps in space summary do not contain route paths details
  • Can toggle private service broker creation with a feature flag details
    • cf enable-feature-flag space_scoped_private_broker_creation
    • cf disable-feature-flag space_scoped_private_broker_creation
  • Fixed cloudfoundry/cloud_controller_ng #508: List Service Instance for a Service Plan documents invalid query parameter details
  • Fixed cloudfoundry/cloud_controller_ng #509: List Service Instance for a Service Plan documents invalid query parameter (2) details
  • Fixed cloudfoundry/cloud_controller_ng #499: Get Space Summary does not document last_operation parameter type details
  • Fixed cloudfoundry/cloud_controller_ng #511: Get the instance information for a STARTED App does not document field details
    • Documents DEA/Diego responses
  • Fixed cloudfoundry/cloud_controller_ng #536: Delete Service does not document response payload details
  • [cf-dev] Update apidocs for space quota and org quota to indicate unlimited values for total_routes and total_services details

Runtime

No changes.

Buildpacks and Stacks

stacks

updated to 1.36.0 (from 1.31.0)

1.36.0

Notably, this release addresses USN-2902-1 “graphite2 vulnerabilities”:

  • CVE-2016-1521: An exploitable out-of-bounds read vulnerability exists in the opcode handling functionality of Libgraphite. A specially crafted font can cause an out-of-bounds read resulting in arbitrary code execution. An attacker can provide a malicious font to trigger this vulnerability.
  • CVE-2016-1522: An exploitable out-of-bounds access vulnerability exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause an out-of-bounds access resulting in arbitrary code execution. An attacker can provide a malicious font to trigger this vulnerability.
  • CVE-2016-1523: An exploitable heap-based buffer overflow exists in the context item handling functionality of Libgraphite. A specially crafted font can cause a buffer overflow resulting in potential code execution. An attacker can provide a malicious font to trigger this vulnerability.
  • CVE-2016-1526: No description provided

1.35.0

Notably, this release addresses USN-2900-1 “GNU C Library vulnerability”:

  • CVE-2015-7547: GNU C Library could be made to crash or run programs if it received specially crafted network traffic.

1.34.0

Notably, this release addresses USN-2897-1 “Nettle vulnerabilities” and USN-2896-1 “Libgcrypt vulnerability”:

  • CVE-2015-8803: secp256 calculation bug
  • CVE-2015-8804: Miscalculations on secp384 curve
  • CVE-2015-8805: miscomputation bugs in secp-256r1 modulo functions
  • CVE-2015-7511: ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs

1.33.0

This release contains only non-critical updates to the rootfs. See the receipt changes at this commit for more information.

1.32.0

Notably, this release addresses USN-2882-1 “curl vulnerability”:

  • CVE-2016-0755: NTLM credentials not checked for proxy connection re-use

java-buildpack

updated to v3.6 (from v3.5.1)

v3.6

I’m pleased to announce the release of the java-buildpack, version 3.6. This release contains improvements to the Luna HA and GemFire support and updates to the dependencies.

For a more detailed look at the changes in 3.6, please take a look at the commit log. Packaged versions of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.

Packaged Dependencies

Dependency Version
AppDynamics Agent 4.1.8_5
GemFire 8.2.0
GemFire Modules 8.2.0
GemFire Modules Tomcat7 8.2.0
GemFire Security 8.2.0
Groovy 2.4.5
JRebel 6.3.2
Log4j API 2.1.0
Log4j Core 2.1.0
Log4j Jcl 2.1.0
Log4j Jul 2.1.0
Log4j Slf4j 2.1.0
MariaDB JDBC 1.3.4
Memory Calculator (mountainlion) 2.0.1.RELEASE
Memory Calculator (precise) 2.0.1.RELEASE
Memory Calculator (trusty) 2.0.1.RELEASE
New Relic Agent 3.25.0
OpenJDK JRE (mountainlion) 1.8.0_71
OpenJDK JRE (precise) 1.8.0_71
OpenJDK JRE (trusty) 1.8.0_71
Play Framework JPA Plugin 1.10.0.RELEASE
PostgreSQL JDBC 9.4.1207
RedisStore 1.2.0_RELEASE
SLF4J API 1.7.7
SLF4J JDK14 1.7.7
Spring Auto-reconfiguration 1.10.0_RELEASE
Spring Boot CLI 1.3.2_RELEASE
Tomcat Access Logging Support 2.5.0_RELEASE
Tomcat Lifecycle Support 2.5.0_RELEASE
Tomcat Logging Support 2.5.0_RELEASE
Tomcat 8.30.0
YourKit Profiler 2015.15086.0

php-buildpack

updated to v4.3.5 (from v4.3.3)

v4.3.5

Packaged binaries:

name version cf_stacks modules
php 5.5.31 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.5.32 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.17 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.18 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 7.0.3 cflinuxfs2 bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, imap, ldap, lua, mailparse, mbstring, mcrypt, mongodb, msgpack, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, pspell, snmp, soap, sockets, xsl, yaf, zip, zlib
composer 1.0.0-alpha11 cflinuxfs2
httpd 2.4.18 cflinuxfs2
newrelic 4.23.3.111 cflinuxfs2
nginx 1.8.1 cflinuxfs2
nginx 1.9.10 cflinuxfs2
  • SHA256: 3c8508491196427ef3752469dae6e674e4f15d944aa7a9d897d4eca949ab6cef

v4.3.4

Note that nginx 1.9.10 is a security update for the following CVEs:

  • CVE-2016-0742
  • CVE-2016-0746
  • CVE-2016-0747

Packaged binaries:

name version cf_stacks modules
php 5.5.30 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.5.31 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.16 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.17 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
hhvm 3.5.0 cflinuxfs2
hhvm 3.5.1 cflinuxfs2
hhvm 3.6.0 cflinuxfs2
hhvm 3.6.1 cflinuxfs2
composer 1.0.0-alpha10 cflinuxfs2
httpd 2.4.18 cflinuxfs2
newrelic 4.23.3.111 cflinuxfs2
nginx 1.8.1 cflinuxfs2
nginx 1.9.10 cflinuxfs2
  • SHA256: 3c2ce68641fc0eae64c26669fbf2f765797aea7713d8f20eb768a566778144e4

ruby-buildpack

updated to v1.6.13 (from v1.6.12)

v1.6.13

Packaged binaries:

name version cf_stacks
ruby 2.0.0 cflinuxfs2
ruby 2.1.7 cflinuxfs2
ruby 2.1.8 cflinuxfs2
ruby 2.2.3 cflinuxfs2
ruby 2.2.4 cflinuxfs2
ruby 2.3.0 cflinuxfs2
jruby ruby-1.9.3-jruby-1.7.24 cflinuxfs2
jruby ruby-2.0.0-jruby-1.7.24 cflinuxfs2
jruby ruby-2.2.3-jruby-9.0.5.0 cflinuxfs2
node 0.12.7 cflinuxfs2
bundler 1.9.7 cflinuxfs2
libyaml 0.1.6 cflinuxfs2
openjdk1.8-latest 1.8.0_73 cflinuxfs2
rails3_serve_static_assets - cflinuxfs2
rails_log_stdout - cflinuxfs2
  • SHA256: f64614ae377962af83262f7328f818a6612c01f0e43367bfa60fee354eb6f6c4

staticfile-buildpack

updated to v1.3.1 (from v1.3.0)

v1.3.1

Note that nginx 1.9.10 is a security update for the following CVEs:

  • CVE-2016-0742
  • CVE-2016-0746
  • CVE-2016-0747

Packaged binaries:

name version cf_stacks
nginx 1.9.10 cflinuxfs2
  • SHA256: 912f17732b79ca05ac1d58e305085cbf2ba31c320435c11df4ebce8fe11a7739

Identity

Updated to UAA Release 3.1.0

Routing

Route Paths

  • CC API no longer permits a route to be created from a shared domain if another route with the same hostname has been created in another space, regardless of the path details

Route Services

  • The scheme for the URL to which route services should send requests after processing (x-cf-forwarded-url) defaults to https, but can be configured to http for dev environments details
  • Experimental label removed from CC API for Route Services details
  • X-Cf-Forwarded-Url header is no longer forwarded to apps when the request came through a route service details

Gorouter Misc

  • A deploy of Gorouter now succeeds only after it is ready to accept connections details
  • Gorouter no longer uses 8.8.8.8 for DNS to resolve the internal hostname for UAA when the consul agent isn’t running. Instead, Gorouter keeps asking the consul agent on localhost until it responds details
  • Gorouter metrics token_fetch_errors and subscribe_events_errors are now emitted via the firehose details
  • Improvements to Gorouter logging details
  • Gorouter exposes the number of events received from route-emitter so that it can be compared with the number of events route-emitter sent details

TCP Routing

  • Routing API is no longer deployed with cf-release to bosh-lite by default; it is being moved to cf-routing-release details
  • CC API now exposes router group type for shared domains details

Multiple App Ports

  • CC API now enables clients to specify an app port when mapping an HTTP route to an app details
  • CC API exposes app ports that routes are mapped to on new endpoint /v2/routing_mappings details
  • CC API supports deleting route mappings through the new endpoint /v2/route_mappings/:guid details
  • When deleting an app or route from CC API, associated route_mappings are also deleted details
  • When CC API is used to update an app, enabling diego and specifying multiple app ports, routes are mapped to the first app port in the list details
  • When CC API is used to update an app, disabling diego, app ports are no longer exposed for route mappings details

Acceptance Tests

  • cloudfoundry/cf-acceptance-tests #87: some routing tests don’t have code to print logs in AfterEach details
  • cloudfoundry/cf-acceptance-tests #86: routing suite doesn’t do cleanup properly details
  • update cats to use cli for context path route coverage details

Loggregator

  • Loggregator is now available as a separate release which can be consumed by other BOSH deployments and emit logs and metrics to a CF Loggregator chain. This may be useful to services that wish to generate metrics and logs.
  • Doppler metrics added
    • dopplerProxy.recentlogsLatency
    • dopplerProxy.containermetricsLatency
    • numberOfContainerMetricSinks

BOSH property name changes. These are required:

  • doppler.tls_server.cert –> doppler.tls.server_cert
  • doppler.tls_server.key –> doppler.tls.server_key
  • doppler.tls_server.port –> doppler.tls.port
  • doppler.enable_tls_transport –> doppler.tls.enable
  • metron_agent.tls_client.key –> metron_agent.tls.client_key
  • metron_agent.tls_client.cert –> metron_agent.tls.client_cert
  • loggregator.tls.ca –> loggregator.tls.ca_cert
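The renames above are mechanical, so as an added example (not Loggregator's or cf-release's own tooling) here is a Python migration that applies the table to a properties mapping, prunes the tls_server and tls_client blocks once they are emptied, and refuses to overwrite a new-style key that is already set to a different value. The sample properties block is constructed; run the function over each job's properties block and the global properties section, since the old names may appear in either.

```python
"""Apply the v231 Loggregator property renames to a BOSH properties mapping.

Added example, not Loggregator or cf-release tooling. RENAMES is the table
from the release notes; the code moves each value to its new dotted path,
prunes containers the move leaves empty, and leaves a conflicting new-style
value alone for an operator to resolve by hand.
"""
import copy
import sys

# Old dotted path -> new dotted path, exactly as listed in the v231 notes.
RENAMES = {
    "doppler.tls_server.cert": "doppler.tls.server_cert",
    "doppler.tls_server.key": "doppler.tls.server_key",
    "doppler.tls_server.port": "doppler.tls.port",
    "doppler.enable_tls_transport": "doppler.tls.enable",
    "metron_agent.tls_client.key": "metron_agent.tls.client_key",
    "metron_agent.tls_client.cert": "metron_agent.tls.client_cert",
    "loggregator.tls.ca": "loggregator.tls.ca_cert",
}

_MISSING = object()


def _get_path(tree, path):
    """Value stored at a dotted path in nested dicts, or _MISSING."""
    node = tree
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def _pop_path(tree, path):
    """Delete an existing dotted path, pruning dict containers left empty."""
    keys = path.split(".")
    parents, node = [], tree
    for key in keys[:-1]:
        parents.append((node, key))
        node = node[key]
    del node[keys[-1]]
    for parent, key in reversed(parents):
        if parent[key]:
            break  # container still holds other settings
        del parent[key]


def _set_path(tree, path, value):
    keys = path.split(".")
    node = tree
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def migrate_loggregator_properties(properties):
    """Return (migrated_copy, moves, conflicts).

    moves:     (old, new) pairs that were renamed
    conflicts: old paths whose new name already held a different value; both
               are left in place so the operator can decide which one wins
    """
    props = copy.deepcopy(properties)  # never mutate the caller's manifest
    moves, conflicts = [], []
    for old, new in RENAMES.items():
        value = _get_path(props, old)
        if value is _MISSING:
            continue
        existing = _get_path(props, new)
        if existing is not _MISSING and existing != value:
            conflicts.append(old)
            continue
        _pop_path(props, old)
        _set_path(props, new, value)
        moves.append((old, new))
    return props, moves, conflicts


# Constructed pre-v231 properties block, not taken from a real deployment.
OLD_PROPERTIES = {
    "doppler": {
        "enable_tls_transport": True,
        "tls_server": {"cert": "-----BEGIN CERTIFICATE-----...", "key": "-----BEGIN RSA PRIVATE KEY-----...", "port": 8082},
        "outgoing_port": 8081,  # not in the rename table; must survive untouched
    },
    "metron_agent": {"tls_client": {"cert": "client-cert", "key": "client-key"}},
    "loggregator": {"tls": {"ca": "ca-cert"}},
}


def main(argv):
    if len(argv) > 1:
        import yaml  # PyYAML, only needed to migrate a real properties file
        with open(argv[1]) as fh:
            props = yaml.safe_load(fh)
    else:
        props = OLD_PROPERTIES
    migrated, moves, conflicts = migrate_loggregator_properties(props)
    for old, new in moves:
        print("moved    %s -> %s" % (old, new))
    for old in conflicts:
        print("CONFLICT %s: new name already set to a different value" % old)
    print(migrated)
    return 1 if conflicts else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```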

Doppler and Traffic Controller no longer log ids and passwords that are passed in to their endpoints.

Internal Components

consul

  • Fix regression where already-encoded encrypt keys were being double-encoded. details
  • Fix bug where consul process would be orphaned when the network interface was slow to come up. details
  • Agent checks for servers on startup in an IP-agnostic way to support infrastructures like GCE. details, original PR
  • Numerous non-functional changes (refactors and test improvements)

etcd

No changes.

etcd-metrics-server

No changes.

route_registrar

  • Handle interrupt signals instantly instead of blocking on healthchecks. details
  • Handle health checks asynchronously instead of blocking. details
  • Validate route registration configuration thoroughly. details, details, details, details
  • Fix regression where tag stopped being included in route registration messages. details
  • Time intervals for route_registrar configuration now require units. details
  • Aggregate validation errors to give more complete feedback when misconfigured. details
  • Healthcheck timeout defaults to half the registration interval if not provided. details
  • Healthcheck scripts will be killed when they exceed the timeout. details
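As an added example (not route_registrar's own code), the Python below enforces the two rules stated above: interval settings must carry units, and a healthcheck timeout that is not provided defaults to half the registration interval. It also shows a healthcheck that overruns its timeout being killed rather than waited for. The registration_interval and health_check.timeout key names, and the Go-style unit grammar (ms, s, m, h), are assumptions made for the example.

```python
"""Duration and healthcheck timeout rules from the v231 route_registrar notes.

Added example, not route_registrar code. parse_duration rejects unitless
values, effective_healthcheck_timeout applies the half-the-interval default,
and run_healthcheck kills a script that runs past its timeout. Key names and
the unit grammar are assumptions for the example.
"""
import re
import subprocess

# Integer milliseconds per unit keeps totals such as "500ms" exact.
_UNIT_MS = {"ms": 1, "s": 1000, "m": 60000, "h": 3600000}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ms|s|m|h)")


def parse_duration(text):
    """Parse '20s', '1m30s' or '500ms' into seconds.

    Raises ValueError for a bare number ('20', 20) or anything that is not a
    run of number+unit tokens, which is the case v231 stopped accepting."""
    if not isinstance(text, str) or not text:
        raise ValueError("interval must be a string with units, got %r" % (text,))
    pos, total_ms = 0, 0.0
    for match in _TOKEN.finditer(text):
        if match.start() != pos:
            break  # something other than a number+unit token in between
        total_ms += float(match.group(1)) * _UNIT_MS[match.group(2)]
        pos = match.end()
    if pos != len(text):
        raise ValueError("invalid duration %r: every number needs a unit (ms, s, m, h)" % text)
    return total_ms / 1000.0


def effective_healthcheck_timeout(route):
    """Seconds a healthcheck may run for one route mapping.

    Uses route['health_check']['timeout'] when given, otherwise half of
    route['registration_interval']; a timeout that is not shorter than the
    interval would let checks overlap registrations, so it is rejected."""
    interval = parse_duration(route["registration_interval"])
    timeout = route.get("health_check", {}).get("timeout")
    if timeout is None:
        return interval / 2.0
    timeout = parse_duration(timeout)
    if timeout >= interval:
        raise ValueError("healthcheck timeout %ss must be shorter than registration interval %ss"
                         % (timeout, interval))
    return timeout


def run_healthcheck(command, timeout_seconds):
    """Healthy only if the command exits 0 within the timeout.

    subprocess.run kills the child when the deadline passes, so a hung
    script cannot block the registration loop."""
    try:
        result = subprocess.run(command, timeout=timeout_seconds,
                                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return False
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed route entry; the check script is inline shell for the demo.
    route = {"registration_interval": "20s", "uris": ["example.com"]}
    timeout = effective_healthcheck_timeout(route)
    print("timeout defaults to %ss for a %s interval" % (timeout, route["registration_interval"]))
    print("healthy:", run_healthcheck(["/bin/sh", "-c", "exit 0"], timeout))
    print("hung script killed, healthy:", run_healthcheck(["/bin/sh", "-c", "sleep 30"], 0.3))
```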

Job Spec Changes

  • Added dns_health_check_host to etcd job with default "consul.service.cf.internal" (should not require overriding configuration). details
  • Removed route_registrar.update_frequency_in_seconds property from route_registrar job, and moved the configuration down to a per-route basis under the route_registrar.routes property. details
  • Made several changes to route_registrar.routes property in the route_registrar job to support health checking and timeouts. details
  • Several changes to UAA job spec. Please see here

NFS to WebDAV related changes. Please see this doc for more details and how to move to webdav without losing data from the existing nfs job.

  • Added default value “/var/vcap/nfs” to nfs_server.share_path property in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.resource_pool.blobstore_type property with default value fog in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.resource_pool.webdav_config.public_endpoint in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.resource_pool.webdav_config.private_endpoint in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.resource_pool.webdav_config.username, cc.resource_pool.webdav_config.password, and cc.resource_pool.webdav_config.secret in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.packages.blobstore_type property with default value fog in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.packages.webdav_config.public_endpoint in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.packages.webdav_config.private_endpoint in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.packages.webdav_config.username, cc.packages.webdav_config.password, and cc.packages.webdav_config.secret in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.droplets.blobstore_type property with default value fog in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.droplets.webdav_config.public_endpoint in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.droplets.webdav_config.private_endpoint in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.droplets.webdav_config.username, cc.droplets.webdav_config.password, and cc.droplets.webdav_config.secret in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.buildpacks.blobstore_type property with default value fog in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.buildpacks.webdav_config.public_endpoint in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.buildpacks.webdav_config.private_endpoint in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added cc.buildpacks.webdav_config.username, cc.buildpacks.webdav_config.password, and cc.buildpacks.webdav_config.secret in the cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Added new blobstore job to replace the nfs job
  • Added blobstore.port in the blobstore job details
  • Added blobstore.admin_users in the blobstore job details
  • Added blobstore.secure_link.secret in the blobstore job details
  • Added blobstore.max_upload_size in the blobstore job details
  • Added domain in the blobstore job details
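Added example, not the linked migration doc or cf-release code: a consistency check over the properties listed above, run before the first deploy with the new blobstore job. It takes the cc.* and blobstore.* property blocks as dicts (the shape yaml.safe_load gives for a manifest's properties section) and checks that all four Cloud Controller blob sections are switched to webdav, point at the same endpoints, use credentials present in blobstore.admin_users, and sign with the same secret the blobstore job verifies. Two assumptions beyond the release notes: blobstore.admin_users is a list of {username, password} mappings, and each cc.<section>.webdav_config.secret has to equal blobstore.secure_link.secret. The endpoint and credential values in the sample are constructed.

```python
"""Consistency check for the v231 WebDAV blobstore properties.

Added example, not cf-release code. Assumptions: blobstore.admin_users is a
list of {username, password} mappings, and cc.<section>.webdav_config.secret
must equal blobstore.secure_link.secret (the CC signs blob URLs with it and
the blobstore job checks the signature). Sample values are constructed.
"""
SECTIONS = ("resource_pool", "packages", "droplets", "buildpacks")
REQUIRED_WEBDAV_KEYS = ("public_endpoint", "private_endpoint", "username", "password", "secret")


def check_webdav_blobstore(cc, blobstore):
    """Return a list of problems; an empty list means the two property blocks agree."""
    problems = []
    admins = {(u.get("username"), u.get("password")) for u in blobstore.get("admin_users", [])}
    link_secret = blobstore.get("secure_link", {}).get("secret")
    if not link_secret:
        problems.append("blobstore.secure_link.secret is not set")
    if not admins:
        problems.append("blobstore.admin_users is empty; the CC has nothing to authenticate with")
    endpoints = set()
    for section in SECTIONS:
        conf = cc.get(section, {})
        btype = conf.get("blobstore_type", "fog")  # fog is the job spec default
        if btype != "webdav":
            problems.append("cc.%s.blobstore_type is %r, expected webdav" % (section, btype))
            continue
        wd = conf.get("webdav_config", {})
        missing = [k for k in REQUIRED_WEBDAV_KEYS if not wd.get(k)]
        if missing:
            problems.append("cc.%s.webdav_config is missing %s" % (section, ", ".join(missing)))
            continue
        if (wd["username"], wd["password"]) not in admins:
            problems.append("cc.%s.webdav_config credentials are not in blobstore.admin_users" % section)
        if wd["secret"] != link_secret:
            problems.append("cc.%s.webdav_config.secret differs from blobstore.secure_link.secret" % section)
        endpoints.add((wd["public_endpoint"], wd["private_endpoint"]))
    if len(endpoints) > 1:
        problems.append("cc sections point at different blobstore endpoints: %s" % sorted(endpoints))
    return problems


def _webdav(secret="s3cr3t", username="blobstore", password="pw"):
    """Constructed cc.<section> block for a deployment that has moved to webdav."""
    return {"blobstore_type": "webdav",
            "webdav_config": {"public_endpoint": "https://blobstore.example.com",
                              "private_endpoint": "http://blobstore.internal.example:8080",
                              "username": username, "password": password, "secret": secret}}


# Constructed samples: a fully migrated manifest and a half-migrated one.
GOOD_CC = {section: _webdav() for section in SECTIONS}
BLOBSTORE = {"port": 8080,
             "admin_users": [{"username": "blobstore", "password": "pw"}],
             "secure_link": {"secret": "s3cr3t"},
             "max_upload_size": "5000m"}
# droplets still on fog, buildpacks signing with a stale secret
BAD_CC = dict(GOOD_CC, droplets={"blobstore_type": "fog"}, buildpacks=_webdav(secret="old"))

if __name__ == "__main__":
    for label, cc in (("good", GOOD_CC), ("bad", BAD_CC)):
        print(label, check_webdav_blobstore(cc, BLOBSTORE) or "ok")
```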

Recommended BOSH Stemcell Versions

  • AWS: light-bosh-stemcell-3197-aws-xen-hvm-ubuntu-trusty-go_agent
  • vSphere: bosh-stemcell-3197-vsphere-esxi-ubuntu-trusty-go_agent
  • OpenStack: bosh-stemcell-3197-openstack-kvm-ubuntu-trusty-go_agent
  • BOSH-Lite: bosh-stemcell-3147-warden-boshlite-ubuntu-trusty-go_agent

These are soft recommendations; several different versions of BOSH and the stemcells are likely to work fine with this version of cf-release and the corresponding versions of diego-release, garden-linux-release, and etcd-release.

Recommended diego-release Version

This is a soft recommendation; several different versions of diego-release may work fine with this version of cf-release.

Recommended garden-linux-release Version

This is a soft recommendation; several different versions of the garden-linux-release may work fine with this version of cf-release and the aforementioned version of diego-release.

Recommended etcd-release Version

  • etcd final release v36

This is a soft recommendation; several different versions of the etcd-release may work fine with this version of cf-release and the aforementioned version of diego-release.

Upload this release version to the Director:

$ bosh upload release https://bosh.io/d/github.com/cloudfoundry/cf-release?v=231

Modify deployment manifest to use this release in addition to any other used releases:

releases:
- {name: cf, version: "231"}

Finally add needed deployment jobs and specify values for required properties.

Optionally download the release tarball (sha1: 456a52f8a03728708252910eef90dc490bcb76a3) locally:

# ...or download it directly using curl
$ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/cf-release?v=231

# or with wget...
$ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/cf-release?v=231